Charles Duross: Tips for managing third-party FCPA risks

According to data from Stanford Law School, nearly 90 percent of Foreign Corrupt Practices Act (FCPA) matters alleging bribery involve the use of third-party intermediaries. That figure has not wavered very much over the last decade. Often in bribery and corruption cases, the main culprits are employees and third parties who collude with one another and find ways to game the system.

“People who have an intention to circumvent internal controls will take efforts to do exactly that,” said Duross, now a partner at law firm Morrison & Foerster. “That will continue to be the challenge going forward for every compliance person.”

Most major companies have controls in place that make it difficult to move large amounts of cash externally. So, it’s not so much about having anti-bribery policies, procedures, and training in place—it’s about finding ways to improve and better scrutinize the compliance program.

“You have to assume some percentage of people are going to engage in bad conduct,” Duross said. For example, those looking to circumvent controls may mischaracterize the purpose of a third party with the intent of not bringing additional scrutiny upon it, such as categorizing it as a consultant rather than a business intermediary. “You are going to have to go back and audit that process on occasion to see if people are trying to game the system,” he said.

Duross recommended looking closely at third parties that help execute a contract. One example may be a third party who is awarded a contract that has a relative help build the infrastructure agreed upon, thus allowing bribery payments to be made on the back end. For compliance departments, it’s about taking lessons learned from these situations and applying them to establish additional internal controls, auditing, and scrutiny around the process, he said.

Sticking your head in the sand to a third party’s illegal activity is not a defense under the FCPA. In fact, the law specifically makes it illegal to consciously avoid actual knowledge of the underlying crime, also referred to as “deliberate ignorance.”

In the TPRM context, if you retain a third party knowing with “substantial certainty” it is engaging in illegal misconduct, it’s enough from a liability standpoint to hire that third party and not ask what it is doing. “Many, many FCPA cases are based on that,” Duross said.

Best practices

Consider the following to help reduce third-party risk:

Rank third parties by risk. Department of Justice and Securities and Exchange Commission officials have publicly stressed this on numerous occasions, as well as in guidance documents. Most sophisticated compliance programs weigh several criteria in ranking their third parties.

Examples may include looking at what region of the world the third party is located; what services it was retained to do; whether the rate, commission, or other compensation the third party is receiving is of fair-market value; and whether the individual connected to the third party is related to a former government official, recommended by a government official, or was a former government official.

“People who have an intention to circumvent internal controls will take efforts to do exactly that. That will continue to be the challenge going forward for every compliance person.”

Charles Duross, Partner, Morrison & Foerster

Companies often face the challenge of calibrating their ranking appropriately, Duross said. Taking too conservative of an approach will result in describing too many third parties as high risk. Some companies are recalibrating their ranking by coming up with a specific percentage limit of high-risk third parties, such as the top 5 or 10 percent.

Encourage a speak-up culture. Motivate employees to flag issues and report concerns—whether it’s reporting something to the hotline or reaching out to the chief compliance officer, supervisor, or manager directly.

“A hotline that is not used is kind of useless,” Duross said.

Employees need to know reporting misconduct will be welcomed. “That comes from the very top,” Duross said. You must have engagement from the C-suite that is encouraging that behavior and ensuring employees and others that making reports will not be viewed as snitching or being disloyal, he said.

Incentivize compliant behavior. Additionally, you can put in place reward opportunities, whether that means recognizing employees in a public way or giving bonuses that are baked into management’s key performance indicators.

Provide cooperation in investigations where third parties do not. Almost every company will voluntarily cooperate with an investigation. The same cannot be said about third parties.

In those circumstances, the company in understanding all the facts must look at its own ecosystem of information. This may include the due diligence profile of the third party, any payment history, the backup data of invoices, WhatsApp chats and other online communications, and maybe even doing on-site visits.

“When it comes to cooperation credit, you want to be strategic and thoughtful about it from Day 1,” Duross said. At the outset of any investigation, whether you voluntarily self-disclosed the matter or not, establish a “cooperation matrix,” which is a chart of all the things you should be thinking about in terms of cooperation credit, and track it. “I say that because, oftentimes, you forget what you did,” he said.

Determine whether to cut the third party loose. One factor to consider is whether there is any credible alternative in the marketplace. “At the end of the day, it might be a tough decision in the moment,” Duross said, “but often that can be the best decision.”

Track the third-party approval process. Once a decision has been made not to work with a certain third party, track it so the third party is not able to get approval elsewhere, Duross said. Be on alert for circumstances where one third party does not get approval for a contract but another third party does and then acts as a middleman to pass bribery payments along to the former third party.